Correct NTFS permission to prevent moving folders

If I remember in Windows 2000, we used to grant Write permissions to end users on a Folder, example Fold1. This will give them the capability to create new folders and files under Fold1. This will prevent them to delete files and folders that have been created by other users. it will also prevent them from copying or moving a folder create by other users to different location.

I am not sure why in the newer files systems version, when I gave user write permissions to a folder, they could not create anything inside the folder.

Any help ?

Thank you
jskfanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

arnoldCommented:
There are more granular controls on newer systems, you have to add an explicit deny delete rule to prevent delete which is a component of a move (copy then delete original)

Check whether the write applies to the folder itself or to the items below.

How did you add the write right and to which security resource of the folder.
Please provide the output of the following command on the folder in question
icacls folder
Note this only applies to the security setting. You need to also make changes to grant write rights on the file sharing permissions.

The two work based on most restrictive.
Between the sharing permissions and the securit settings  the user has the lowest possible rights in the combination.

I.e. If sharing permissions do not include write rights, the user will not be able to write into the share.
If the share grants all full rights, but group of X only has read rights, members of X that are not members of others group will be limited through the security permissions to read rights only.
0
MaheshArchitectCommented:
check the complete article below, it should clear all your concerns
https://www.experts-exchange.com/articles/17526/Windows-File-Server-Folder-ownership-problems-and-resolution.html
Last section list best practices
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NVITCommented:
> it will also prevent them from copying or moving a folder create by other users to different location

You didn't mention if they can read but.... If they can read the files, they can copy them too.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

jskfanAuthor Commented:
On the Share
in Share permissions tab : Authenticated Users : Full Control
In Security tab : Authenticated Users : Read , This folder Only

on the Folders inside the Share, Specific AD Groups  have Write permissions. Obviously when you Check the box "Write" , other subsequent permissions related to Write also get check off.

The Write permissions is applied to this folder, subfolders and files.
0
arnoldCommented:
Please post the icacls output as it enumerated, and the membership to which a user belongs will reflect what rights they have on the folder and contents.

Your question, in order to provide you the answer, I need the information requested.

On the security tab, advanced, there is an effective permissions tab, here you can check what the effective permissions a specific user or group will have on the folder that you are testing.
If you prefer to not post the icacls output.

Note the icacls folder will reflect info including inherited permissions from the parent folder and applicable to subfolders provided they too are set to inherit permission from the upper folder.
0
NVITCommented:
To clarify icacls syntax in Arnold's post:
icacls c:\foldername\*. /t

Open in new window


This shows the settings on foldername and sub-folders. Be sure to include the trailing star and dot, i.e. *.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.